Gatekeeper inqaba-security/gatekeeper
v1.x

Configuration Reference

All configuration lives in config/siem.php (publish it with php artisan vendor:publish --tag=siem-config). This page lists every key, its environment variable, and its default.

Master switch#

Key Env Default Description
enabled SIEM_ENABLED true Disable to stop all collection and shipping without removing middleware or listeners

Service identity#

Attached to every event as ECS service.* fields so the SOC can attribute events to a system.

Key Env Default
service.name SIEM_SERVICE_NAME APP_NAME
service.environment SIEM_SERVICE_ENV APP_ENV

Sinks#

Key Env Default Description
sinks.active SIEM_SINKS log Comma-separated list of destinations: sentinel, wazuh, syslog, slack, teams, log, null

Any sink entry may define minimum_severity — events below that level are not shipped to that sink. See the individual sink pages for their full settings:

Queue shipping#

Key Env Default Description
queue.enabled SIEM_QUEUE true Ship events on the queue (recommended)
queue.connection SIEM_QUEUE_CONNECTION app default Queue connection
queue.name SIEM_QUEUE_NAME siem Queue name
queue.tries 3 Delivery attempts per sink
queue.backoff [5, 30, 120] Seconds between retries

GeoIP enrichment#

Key Env Default Description
geoip.enabled SIEM_GEOIP false Add ECS source.geo.* fields at delivery time
geoip.driver SIEM_GEOIP_DRIVER maxmind maxmind (local database) or ipapi (HTTP)
geoip.cache_minutes 1440 Per-IP lookup cache TTL
geoip.maxmind.database SIEM_GEOIP_MMDB storage/app/geoip/GeoLite2-City.mmdb Path to the .mmdb file
geoip.ipapi.url SIEM_GEOIP_URL ip-api.com template Lookup URL; {ip} is substituted
geoip.ipapi.timeout 3 HTTP timeout in seconds

Event collection#

Key Env Default Description
events.authentication.enabled SIEM_EVENTS_AUTH true Master toggle for auth listeners
events.authentication.login_succeeded true Per-event toggles also exist for login_failed, logout, registered, password_reset, lockout, email_verified
events.minimum_severity SIEM_MIN_SEVERITY info Global severity floor; events below it are dropped entirely

Honeypots#

Route honeypots — honeypots.routes#

Key Env Default Description
enabled SIEM_HONEYPOT_ROUTES true Register decoy routes
paths see below Decoy URIs; strings or arrays with path, methods, where
response_status 404 HTTP status returned to the attacker
tarpit_ms SIEM_HONEYPOT_TARPIT 0 Delay the response up to N ms (0 disables)
auto_block SIEM_HONEYPOT_AUTOBLOCK true Block the source IP after a hit
block_minutes 1440 Block duration

Default decoy paths include .env, .git/config, wp-login.php, wp-admin, xmlrpc.php, phpmyadmin, backup.sql and other high-signal probe targets.

Form honeypot — honeypots.form#

Key Env Default Description
field SIEM_HONEYPOT_FIELD website_url_confirm Name of the invisible input
timer_field SIEM_HONEYPOT_TIMER_FIELD _hp_time Name of the encrypted timestamp input
min_seconds 2 Submissions faster than this are treated as bots
respond reject reject (422) or silent (fake success)

Endpoint abuse detection — abuse#

Key Env Default Description
window_minutes 1 Detection window
auth_failures_threshold SIEM_ABUSE_AUTH_THRESHOLD 10 401/403/419/423 responses → brute_force_detected
not_found_threshold SIEM_ABUSE_404_THRESHOLD 25 404s → scanning_detected
throttled_threshold SIEM_ABUSE_429_THRESHOLD 5 429s → rate_limit_abuse
request_threshold SIEM_ABUSE_REQUEST_THRESHOLD 0 Total requests → endpoint_abuse (0 disables)
auto_block SIEM_ABUSE_AUTOBLOCK false Block the offender when a detection fires
block_minutes 60 Block duration

Resource enumeration detection — enumeration#

Key Env Default Description
window_minutes 5 Detection window (fixed, not sliding)
sequential_threshold SIEM_ENUM_SEQUENTIAL 5 Constant-stride numeric ID run length
max_stride 1000 Strides larger than this don't count as sequential
distinct_threshold SIEM_ENUM_DISTINCT 15 Distinct IDs touched per route pattern
miss_ratio 0.5 Share of 404/403/410 responses
miss_min_requests 10 Minimum requests before the miss ratio applies
auto_block SIEM_ENUM_AUTOBLOCK false Block the scanner
block_minutes 60 Block duration

Egress monitoring — egress#

Watches outgoing HTTP calls (Http client) per destination host. Alert-only. See Egress Monitoring.

Key Env Default Description
enabled SIEM_EGRESS false Subscribe to HTTP client events and monitor outbound calls
ignore_hosts SIEM_EGRESS_IGNORE [] Hosts never monitored (sink/GeoIP hosts are auto-suppressed)
bucket_seconds 60 Counting bucket size for spike baselining
new_destination.enabled SIEM_EGRESS_NEW_DEST true Alert on first-ever call to a host
new_destination.ttl_minutes 43200 How long a host stays "known" (30 days)
spike.enabled SIEM_EGRESS_SPIKE true Alert on volume above rolling baseline
spike.history_buckets 30 Baseline window = this × bucket_seconds
spike.multiplier 5 Fire at multiplier × baseline
spike.min_count 20 Absolute floor so low volume never trips
limits.window_minutes 1 Hard-limit window
limits.default SIEM_EGRESS_LIMIT 0 Default per-host cap (0 = none)
limits.targets [] Per-host caps, e.g. ['api.stripe.com' => 1000]
errors.enabled true Alert on failed-response surges
errors.window_minutes 1 Error-spike window
errors.threshold SIEM_EGRESS_ERROR_THRESHOLD 25 4xx/5xx/failures per host per window

Request threat scanner — scanner#

Key Env Default Description
block SIEM_SCANNER_BLOCK false Reject flagged requests with 400 (detection-only by default)
except_inputs password, password_confirmation Input keys skipped entirely
max_value_length 8192 Only the first N characters of each value are scanned

IP blocklist — blocklist#

Key Env Default Description
enabled SIEM_BLOCKLIST true Enforce the blocklist in siem.block middleware
cache_store SIEM_CACHE_STORE app default Cache store backing the blocklist
response_status 403 Status returned to blocked IPs
never_block SIEM_NEVER_BLOCK 127.0.0.1,::1 IPs/CIDRs that can never be auto-blocked

Privacy — privacy#

Key Env Default Description
redact_keys password, token, api_key, ... Context keys replaced with [REDACTED] (recursive)
hash_usernames SIEM_HASH_USERNAMES false Ship user.name as a sha256 hash
include_request_body SIEM_INCLUDE_BODY false Reserved for shipping request bodies with events